Recent ICS Cyber-attacks on Critical Infrastructures

Introduction

A cyber attack is a significant danger to any business or government entity. Recent attacks on large corporations as well as private businesses highlight the extent of harm that attackers can cause. As attacks on IT systems rise, operational technology is no exception. In this blog I have compiled a few recent ICS cyber attacks, in India and across the globe, that caused serious disruption.

Oil India Limited Attack (2022)

In a very recent incident, Oil India Limited became the victim of a cyber attack in which the attackers held its systems hostage on 22 April 2022. The scope of the affected systems was not immediately apparent, although a spokesperson who confirmed the incident stated that production and drilling systems were not affected. The attackers demanded a ransom of more than INR 57 crore.

According to an official spokesperson of Oil India, there was no data loss, and the affected systems were taken off the operational network without impacting any control functions. The spokesperson also said that the company's IT staff were working to restore the affected systems.

Enterprise Secure Remote Access Feature Set

Going far beyond a typical IT VPN, an enterprise secure remote access solution should layer additional security onto the IT and OT networks and systems it connects, in support of a defence-in-depth strategy. Most security professionals recognize that delaying attackers, complicating their attack path, and imposing excessive costs on them all reduce the risk that a malicious outsider achieves complete penetration and reaches critical assets. The technology features that should be part of an industrial-grade secure remote access solution are listed below:

  • A single, outbound-initiated connection from the protected enterprise assets to the centralized communication server, so that no inbound ports are exposed on the protected network. This gives a posture comparable to a "data diode" while still allowing bidirectional communication; unlike a true data diode, however, the tunnel itself carries traffic both ways, so the broker and its authorization controls are the real enforcement point.
  • The ability for on-premise personnel to have the final say in granting remote access to any system. Remote access requests can be configured to require approval by an authorized person at headquarters or at the site, who can supervise and video-record the remote session.
  • Granular controls, such as per-user permissions that block specific remote activities, or view-only permissions that let a user observe a session without performing any other remote activity.
  • Strong transport encryption using Transport Layer Security (TLS) 1.2 or higher, with certificate keys of at least 2048 bits (RSA) or equivalent elliptic-curve strength; the bulk encryption itself is provided by the negotiated symmetric cipher, such as AES. FIPS 140-2 validated cryptographic modules are also important. (FIPS, the Federal Information Processing Standards, is a US government computer security standard issued by the National Institute of Standards and Technology.)
  • Certificate-based authentication using standard public-key cryptography, with the symmetric session key negotiated during the TLS handshake, preferably through an ephemeral key exchange so that a later compromise of a long-term key does not expose recorded sessions.
  • Support for multi-factor authentication, combined with customized access controls.
  • Password vaulting that allows the use of mapped accounts without disclosing internal shared credentials to less trusted third parties.
  • A full audit trail of authorizations, protocols, sessions, users and so on, with audit logs stored in two isolated locations.
  • Authorization and expiration per session, per user and per protocol.
  • A just-in-time, point-to-point channel established inside the reverse tunnel only after authorization.
  • The remote user or computer is never made part of the trusted network.
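To make the approval, per-session scope, expiry and dual-audit items above concrete, here is an added example in Python; it is not part of the original post and not any vendor's product code. It models the broker that sits at the centralized communication server end of the reverse tunnel and decides what a remote session may do; the tunnel, TLS and certificate handling are assumed to exist underneath it. The class and function names, the user and host names, the policy table and the approver list are all constructed for illustration.

```python
"""Just-in-time remote-access broker: a small model of the approval, per-session scope,
expiry and dual audit-trail features. Added illustration; all names are assumptions."""
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: a user may reach only the listed (target, protocol) pairs.
# "view" = screen-share only; "control" = keyboard/shell input is also allowed.
POLICY = {
    "vendor.alice": {("hmi-01", "rdp"): "view", ("plc-gw-03", "ssh"): "control"},
    "vendor.bob": {("hmi-01", "rdp"): "control"},
}
ON_SITE_APPROVERS = {"ops.supervisor", "ops.shift-lead"}  # constructed; requesters never self-approve


@dataclass
class SessionGrant:
    user: str
    target: str
    protocol: str
    mode: str
    approved_by: str
    expires_at: datetime


class AccessBroker:
    def __init__(self, clock=None, max_ttl=timedelta(hours=2)):
        self.now = clock or (lambda: datetime.now(timezone.utc))
        self.max_ttl = max_ttl   # hard ceiling on any session lifetime
        self._pending = {}       # request_id -> (user, target, protocol, mode)
        self._grants = {}        # session token -> SessionGrant
        self.audit_sinks = ([], [])  # two sinks; in production two isolated log stores

    def _audit(self, event, **fields):
        rec = json.dumps({"ts": self.now().isoformat(), "event": event, **fields}, sort_keys=True)
        for sink in self.audit_sinks:  # every record goes to both sinks
            sink.append(rec)

    def request(self, user, target, protocol):
        """Step 1: policy check; anything not explicitly permitted is refused."""
        mode = POLICY.get(user, {}).get((target, protocol))
        if mode is None:
            self._audit("request_denied", user=user, target=target, protocol=protocol)
            return None
        rid = secrets.token_hex(8)
        self._pending[rid] = (user, target, protocol, mode)
        self._audit("request_pending", request_id=rid, user=user, target=target, protocol=protocol)
        return rid

    def approve(self, request_id, approver, ttl=timedelta(minutes=30)):
        """Step 2: only an on-site approver turns a pending request into a time-boxed session."""
        if approver not in ON_SITE_APPROVERS:
            self._audit("approval_rejected", request_id=request_id, approver=approver)
            return None
        pending = self._pending.pop(request_id, None)
        if pending is None:
            return None
        user, target, protocol, mode = pending
        ttl = min(ttl, self.max_ttl)
        token = secrets.token_urlsafe(32)  # the token itself is never written to the audit log
        self._grants[token] = SessionGrant(user, target, protocol, mode, approver, self.now() + ttl)
        self._audit("session_granted", request_id=request_id, user=user, target=target,
                    protocol=protocol, mode=mode, approved_by=approver, ttl_s=int(ttl.total_seconds()))
        return token

    def authorize_action(self, token, target, protocol, action):
        """Step 3: each action is checked against the session's scope, mode and expiry."""
        grant = self._grants.get(token)
        if grant is None or self.now() >= grant.expires_at:
            self._grants.pop(token, None)  # expired sessions are dropped, never extended
            self._audit("action_denied", reason="no valid session", target=target, protocol=protocol)
            return False
        if (target, protocol) != (grant.target, grant.protocol):
            self._audit("action_denied", reason="out of scope", user=grant.user, target=target)
            return False
        if action != "view" and grant.mode != "control":
            self._audit("action_denied", reason="view-only session", user=grant.user, action=action)
            return False
        self._audit("action_allowed", user=grant.user, target=target, protocol=protocol, action=action)
        return True


def run_scenario():
    """Walk one request through the broker under a fixed clock; returns named outcomes."""
    t = [datetime(2022, 4, 22, 9, 0, tzinfo=timezone.utc)]
    b = AccessBroker(clock=lambda: t[0])
    out = {}
    out["not_in_policy_refused"] = b.request("vendor.bob", "plc-gw-03", "ssh") is None
    rid = b.request("vendor.alice", "hmi-01", "rdp")
    out["self_approval_refused"] = b.approve(rid, "vendor.alice") is None
    tok = b.approve(rid, "ops.supervisor", ttl=timedelta(minutes=30))
    out["view_allowed"] = b.authorize_action(tok, "hmi-01", "rdp", "view")
    out["input_blocked_on_view_only"] = not b.authorize_action(tok, "hmi-01", "rdp", "keystroke")
    out["other_target_blocked"] = not b.authorize_action(tok, "plc-gw-03", "ssh", "view")
    t[0] += timedelta(minutes=31)  # advance past the session's expiry
    out["expired_blocked"] = not b.authorize_action(tok, "hmi-01", "rdp", "view")
    out["audit_sinks_identical"] = b.audit_sinks[0] == b.audit_sinks[1] and len(b.audit_sinks[0]) > 0
    return out


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=1))
```

The ordering is the point: the policy check refuses unknown user, target and protocol combinations before anyone is asked to approve; the approver set excludes the requester; and every action is re-checked against the grant rather than trusting a tunnel that happens to be open. Expired sessions are dropped rather than renewed, so extending access means a fresh request and a fresh on-site approval, and every decision lands in both audit sinks.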

ACCOMMODATING SCALE

Another consideration when laying this foundational technology is the ability to scale, and to grow capabilities as operations evolve.

CONCLUSION

Managing Dynamic Risk Conditions

In recent years cyber attacks against enterprises have increased, and the nature of the risk remains dynamic. Implementing a centralized, secure remote access solution lays the foundation for the agility needed for business continuity, in line with cybersecurity best practices.

In addition, more recent concerns such as health pandemics may have longer-reaching consequences that are difficult to predict. Implementing a robust architecture that allows for flexible staffing and continued operations despite personnel disruptions can be a wise investment.

Supratik Pathak

SENIOR CYBER SECURITY PROFESSIONAL